[alto] SECDIR Last Call review of draft-ietf-alto-new-transport-15
Donald Eastlake <d3e3e3@gmail.com> Thu, 12 October 2023 02:38 UTC
Return-Path: <d3e3e3@gmail.com>
X-Original-To: alto@ietfa.amsl.com
Delivered-To: alto@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69D24C14CE39; Wed, 11 Oct 2023 19:38:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.858
X-Spam-Level:
X-Spam-Status: No, score=-1.858 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AR6GNFz3AbgH; Wed, 11 Oct 2023 19:38:28 -0700 (PDT)
Received: from mail-wm1-x32b.google.com (mail-wm1-x32b.google.com [IPv6:2a00:1450:4864:20::32b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF813C151073; Wed, 11 Oct 2023 19:38:27 -0700 (PDT)
Received: by mail-wm1-x32b.google.com with SMTP id 5b1f17b1804b1-405361bb94eso6549985e9.0; Wed, 11 Oct 2023 19:38:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1697078306; x=1697683106; darn=ietf.org; h=cc:to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=1XI22m8seF9dFymYEZWU14NVrjqEUcu8dASYc5yVTjI=; b=iZ+Z4+/desa36KuoDrO+juYPVAaxXwj3S6rt4rR5a/17MfEts7P1ac7YBEiLIvfzhF 6x80KolbJeWF+fjZLtz9woopalkytv6ovi68bMnUywXV7TdwxMKfCB5lHdmM+6sW95io rTShHnm1QI5UdmWdY42xdIEUOvVZ+mYRodHIBsPNk/C6J6w+8N9qN8UVGTsKYavgCVkA rHo+ITwAfBJPdtZ5xIPmGuEan082WMluRUDO+kUwQ9tktIl7U1yaY8Y6g24LH0VC8kSS ySnXrsXMxOdK/noAPjJdpC3rkUbvYPzvSvYnSwPg2VrPXAHZUyzxTM245iAgDdVZjMqJ Vjxw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697078306; x=1697683106; h=cc:to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=1XI22m8seF9dFymYEZWU14NVrjqEUcu8dASYc5yVTjI=; b=dSiWiBMCc7H4lW50VwI6P085eqVhMzTsstNnlyQUB9XrnGdT57B9+l46tyaTSIMAtJ jDbUjWA2WgA2UjiLdGTn7+7pbQlvRxWtxeni2IODxmfwM4GgaPmLSN2QFieZHtzi5Ou4 QGQHEXVMggy0gFAygUeIC5gAliPbm2vXBHX3iwLPMsMVqI7Y21nGie35V6vSz3cXZbAo YljPn56y6GltthC5cHU68y1B6k8UR7wHSzopNjaUwSNyufN5wKLlfUrrVMFZwU6oDn/P KgwYvL7nhyXiBJGkzFMh1/BKdxuTXWH0wNev1eDejX3Kzkm4aWUXv6vFAA8nqoED3D2E eVpw==
X-Gm-Message-State: AOJu0YyDda10FCNLSr73S2RJjumMwhArxBBMINupUSQX3WzJ0n10ba0M BOHoE4NxiHaixor4SRpuy4+kNCr4seFZwGElL1zyEbzKQXs=
X-Google-Smtp-Source: AGHT+IEIdAmTQLaB5fVj7iCNSLi2WLNRP6epayTFMiIl7Qo+p2UWV8N1/E36CA99LeRoHaer5RWJcRAf5fHhQijjzsk=
X-Received: by 2002:a5d:6548:0:b0:327:e070:15b8 with SMTP id z8-20020a5d6548000000b00327e07015b8mr19809890wrv.41.1697078305919; Wed, 11 Oct 2023 19:38:25 -0700 (PDT)
MIME-Version: 1.0
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Wed, 11 Oct 2023 22:38:14 -0400
Message-ID: <CAF4+nEFjO7k=h80hFHD3M6FZMgM43cj4=-VNOw2BVUsDgGJ6-g@mail.gmail.com>
To: "iesg@ietf.org" <iesg@ietf.org>
Cc: secdir <secdir@ietf.org>, draft-ietf-alto-new-transport.all@ietf.org, IETF ALTO <alto@ietf.org>, Last Call <last-call@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/alto/pbXpigiWaaxUyKyT5KdV5AeHN28>
Subject: [alto] SECDIR Last Call review of draft-ietf-alto-new-transport-15
X-BeenThere: alto@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Application-Layer Traffic Optimization \(alto\) WG mailing list" <alto.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/alto>, <mailto:alto-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/alto/>
List-Post: <mailto:alto@ietf.org>
List-Help: <mailto:alto-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/alto>, <mailto:alto-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Oct 2023 02:38:28 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. Document editors and WG chairs should treat these comments just like any other last call comments. Sorry this review is a bit late. The summary of this review is Ready with Issues. (I did an early review of the -07 version of this draft at which time I found only nits all of which were fixed.) *Security* While I'm not all that into ALTO, it seems to me that this draft is all about messages and message exchanges between ALTO entities where the security (authentication, encryption, ...) has been specified in previous standards track documents such as RFC 7285; however, in Section 9.3, it says the spoofed URIs can be avoided by "encrypting the requests" where I think it should say "authenticating" the requests. There are a few additional security considerations which seem to be covered by the Security Considerations section of this draft. *Other possible issues* - In the update from -14 to -15, huge numbers of all caps RFC 2119 key words have been lowercased. In many instances, this does not look right to me. (There are many other cases but one example is that in Section 8.4, all words in all upper case were lowercased.) - Although there is correct text elsewhere, the last paragraph of Section 6.4, page 24, seems to say you delete a TIPS view if heartbeats time out on one connection for that view. But shouldn't it be all connections going away as there might be multiple? - I am a bit surprised there is nothing about jittering the heartbeat messages to be sure they can't get synchronized between muldtiple clients. Something like the time between them should be varied by an amount randomly selected in the range +0% to -40%. - Section 2.1, Page 6: I think there is something not quite right with the sentence "Prefetching updates can reduce the time to send the request, making it possible to achieve sub-RTT transmission of ALTO incremental updates." It seems muddled. Transmission speed / transmission time isn't affected by prefetching although, of course, the time to satisfy a request can be vastly reduced. Maybe "Prefetching updates can reduce the time to satisfy a request, makit it possible to achieve rapid, sub-RTT ALTO incremental updates." *Nits* - Section 3.1, page 10, "(tag" -> "(a tag" - Section 6.2, page 22, "time unit is second" -> "time unit is a second" Hope these comments are helpful. Thanks, Donald =============================== Donald E. Eastlake 3rd +1-508-333-2270 (cell) 2386 Panoramic Circle, Apopka, FL 32703 USA d3e3e3@gmail.com
- [alto] SECDIR Last Call review of draft-ietf-alto… Donald Eastlake
- Re: [alto] SECDIR Last Call review of draft-ietf-… Kai GAO
- Re: [alto] SECDIR Last Call review of draft-ietf-… Donald Eastlake